Tag Archives: Metasploit Weekly Wrapup

Metasploit Wrap-Up

2023-02-24 Spencer McIntyre

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2023/02/24/metasploit-wrap-up-194/

Basic discover script improvements

Metasploit Wrap-Up

This week two improvements were made to the script/resource/basic_discovery.rc resource script. The first update from community member samsepi0x0 allowed commas in the RHOSTS value, making it easier to target multiple hosts. Additionally, adfoster-r7 improved the script by adding better handling for error output. This continues our trend of trying to provide more useful diagnostic information to our end users.

Google Summer of Code

The Metasploit Framework has been accepted to participate in Google’s Summer of Code program again for 2023. This event pairs new contributors with an experienced mentor as they work on an open source project (Metasploit in our case). We will soon be soliciting project proposals from the community for anyone interested in getting involved. Some project ideas are on the docs site, but folks are welcome to submit entirely new ideas for something they think would benefit the Metasploit community.

Web Based Module Counts

This week, adfoster-r7 improved our docs site with a running count of all the published modules. This information is kept up to date automatically and is a great resource for anyone looking for how many modules Metasploit has included without needing to install and start the framework. The page even allows users to dive deeper into types of modules and platforms in the same way as msfconsole.

New module content (2)

Froxlor Log Path RCE

Authors: Askar and jheysel-r7
Type: Exploit
Pull request: #17640 contributed by jheysel-r7
AttackerKB reference: CVE-2023-0315

Description: This module exploits a vulnerability in versions of Froxlor prior to 2.0.8 that allows an authenticated user to change the default log file to an arbitrary path on the system. Using this, an authenticated user can write a Twig template, that when rendered, will execute arbitrary code and grant a shell or Meterpreter session as the www-data user.

pyLoad js2py Python Execution

Authors: Spencer McIntyre and bAu
Type: Exploit
Pull request: #17652 contributed by zeroSteiner
AttackerKB reference: CVE-2023-0297

Description: This adds an exploit for CVE-2023-0297 which is an unauthenticated Javascript injection in pyLoad’s Click ‘N’ Load service.

Enhancements and features (1)

#17674 from adfoster-r7 – Updates the script/resource/basic_discovery.rc script to better detect when the Metasploit database is not connected as well as improving error output.

Bugs fixed (2)

#17650 from samsepi0x0 – Updates the script/resource/basic_discovery.rc script to support commas in RHOSTS values.
#17660 from bugch3ck – This updates the location of where registry hives are temporarily stored by the windows_secrets_dump module.
#17663 from manishkumarr1017 – This fixes an issue where action names were being treated as case sensitive.

Documentation added (2)

#17637 from adfoster-r7 – This PR adds the latest module information to docs.metasploit.com as a quick way to explore Metasploit’s available modules.
#17685 from samsepi0x0 – Fixes a broken link within Metasploit’s Google Summer of Code 2023 Project Ideas.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

2023-02-17 Jacquie Harris

Post Syndicated from Jacquie Harris original https://blog.rapid7.com/2023/02/17/metasploit-wrap-up-193/

Cisco RV Series Auth Bypass and Command Injection

Metasploit Wrap-Up

Thanks to community contributor neterum, Metasploit framework just gained an awesome new module which targets Cisco Small Business RV Series Routers. The module actually exploits two vulnerabilities, an authentication bypass CVE-2022-20705 and a command injection vulnerability CVE-2022-20707 in order to achieve code execution in the context of user www-data.

New module content (2)

Cisco RV Series Authentication Bypass and Command Injection

Authors: Biem Pham, Neterum, and jbaines-r7
Type: Exploit
Pull request: #17599 contributed by neterum
Attacker KB Reference: CVE-2022-20707

Description: An exploit for Cisco RV160, RV260, RV340 and RV345 Small Business Routers prior to firmware version 1.0.03.26 has been added which exploits CVE-2022-20705, an authentication bypass, and CVE-2022-20707, a command injection vulnerability, to achieve remote code execution as the www-data user on affected devices as an unauthenticated attacker.

GitLab GitHub Repo Import Deserialization RCE

Authors: Heyder Andrade, RedWay Security, and William Bowling (vakzz)
Type: Exploit
Pull request: #17281 contributed by heyder
AttackerKB reference: CVE-2022-2992

Description: This adds an exploit for CVE-2022-2992 which is authenticated remote command execution in GitLab.

Enhancements and features (1)

#17594 from zeroSteiner – The DLL template code has been updated so that tools such as msfvenom can use DLL templates with payloads that were larger than 4096 bytes, such as unstaged payloads. Note that this update only applies to the default DLL templates that Metasploit provides, and not to external DLL templates which are restricted to 4096 bytes at this time.

Bugs fixed (1)

#17645 from adfoster-r7 – Fixes a bug that caused warnings to be output on Arch Linux environments when starting msfconsole

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-Up

2023-02-10 Navya Harika Karaka

Post Syndicated from Navya Harika Karaka original https://blog.rapid7.com/2023/02/10/metasploit-weekly-wrap-up-192/

Taking a stroll down memory lane (Tomcat Init Script Privilege Escalation)

Metasploit Weekly Wrap-Up

Do you remember the issue with Tomcat init script that was originally discovered by Dawid Golunski back in 2016 that led to privilege escalation? This week’s Metasploit release includes an exploit module for CVE-2016-1240 by h00die. This vulnerability allows any local users who already have tomcat accounts to perform privilege escalation and gain access to a target system as a root user. This exploit can be used against the following tomcat versions Tomcat 8 (8.0.36-2), Tomcat 7 (7.0.70-2) and Tomcat 6 (6.0.45+dfsg-1~deb8u1).

Lenovo Diagnostics Driver IOCTL memmove

Our own Jack Heysel contributed an exploit module for CVE-2022-3699 using the proof of concept created by alfarom256. A vulnerability within Lenovo Diagnostics Driver due to incorrect access control allows low-privileged users to issue device IOCTLs to perform arbitrary physical/virtual memory read/write.

New module content (8)

Nagios XI 5.5.6 to 5.7.5 – ConfigWizards Authenticated Remote Code Execution

Author: Matthew Mathur
Type: Exploit
Pull request: #17494 contributed by k0pak4
AttackerKB reference: CVE-2021-25298

Description: A new authenticated RCE module for NagiosXI has been added which exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298 to get a shell as the apache user on NagiosXI devices running version 5.5.6 to 5.7.5 inclusive.

F5 Big-IP Create Admin User

Author: Ron Bowes
Type: Exploit
Pull request: #17392 contributed by rbowes-r7

Description: This PR adds a privilege escalation module for F5 that uses the unsecured MCP socket to create a new root account.

Apache Tomcat on Ubuntu Log Init Privilege Escalation

Authors: Dawid Golunski and h00die
Type: Exploit
Pull request: #17483 contributed by h00die
AttackerKB reference: CVE-2016-1240

Description: Adds a new exploit/linux/local/tomcat_ubuntu_log_init_priv_esc module for CVE-2016-1240 targetting Tomcat (6, 7, 8). By default repositories on Debian-based distributions (including Debian, Ubuntu etc.) provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account (for example, by exploiting an RCE vulnerability in a java web application hosted on Tomcat, uploading a webshell etc.) to escalate their privileges from tomcat user to root and fully compromise the target system.

Fortra GoAnywhere MFT Unsafe Deserialization RCE

Author: Ron Bowes
Type: Exploit
Pull request: #17607 contributed by rbowes-r7
AttackerKB reference: CVE-2023-0669

Description: This PR adds a module that exploits CVE-2023-0669, which is an object deserialization vulnerability in Fortra GoAnywhere MFT.

ManageEngine ADSelfService Plus Unauthenticated SAML RCE

Authors: Christophe De La Fuente, Khoa Dinh, and horizon3ai
Type: Exploit
Pull request: #17556 contributed by cdelafuente-r7
AttackerKB reference: CVE-2022-47966

Description: This PR adds an exploit that uses an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ADSelfService Plus versions 6210 and below (https://github.com/advisories/GHSA-4w3v-83v8-mg94).

ManageEngine ServiceDesk Plus Unauthenticated SAML RCE

Authors: Christophe De La Fuente, Khoa Dinh, and horizon3ai
Type: Exploit
Pull request: #17527 contributed by cdelafuente-r7
AttackerKB reference: CVE-2022-47966

Description: This adds an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below. (https://github.com/advisories/GHSA-4w3v-83v8-mg94).

ManageEngine Endpoint Central Unauthenticated SAML RCE

Authors: Christophe De La Fuente, Khoa Dinh, h00die-gr3y, and horizon3ai
Type: Exploit
Pull request: #17567 contributed by h00die-gr3y
AttackerKB reference: CVE-2022-47966

Description: This adds an exploit targeting CVE-2022-47966, an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below. See https://github.com/advisories/GHSA-mqq7-v29v-25f6 and ManageEngine security advisory.

Lenovo Diagnostics Driver IOCTL memmove

Authors: alfarom256 and jheysel-r7
Type: Exploit
Pull request: #17371 contributed by jheysel-r7
AttackerKB reference: CVE-2022-3699

Description: This PR adds a module that makes use of incorrect access control for the Lenovo Diagnostics Driver allowing a low-privileged user the ability to issue device IOCTLs to perform arbitrary physical/virtual memory read/write.

Enhancements and features (3)

#17597 from bcoles – Fix notes for SideEffects and Reliability in the auxiliary/dos/mirageos/qubes_mirage_firewall_dos module.
#17603 from dwelch-r7 – Updates admin/kerberos/inspect_ticket to show the UPN and DNS Information within a decrypted PAC.
#17615 from adfoster-r7 – Adds missing module notes for stability, reliability, and side effects to several modules.

Bugs fixed (2)

#17591 from zeroSteiner – A bug has been fixed in metasm_shell and nasm_shell whereby the shells were using readline but the dependency wasn’t correctly imported. This has since been fixed and improved validation has been added.
#17592 from zeroSteiner – A bug has been fixed in the bypassuac_injection_winsxs module whereby a string was not properly being treated as being NULL terminated. Additionally, the definitions of the FindFirstFileA and FindFirstFileW functions have been corrected so that they work on x64 systems.

Documentation added (3)

#17398 from bwatters-r7 – Adds additional details on using command stagers.
#17587 from adfoster-r7 – This PR updates docs.metasploit.com to use the latest ruby conventions.
#17595 from mkonda – Updates the documentation on debugging dead Meterpreter sessions to use the correct option name ReverseListenerBindAddress.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-Up

2023-02-03 Dean Welch

Post Syndicated from Dean Welch original https://blog.rapid7.com/2023/02/03/metasploit-weekly-wrap-up-191/

Metasploit 6.3 is out!

Metasploit Weekly Wrap-Up

Earlier this week we announced the release of Metasploit 6.3 which came with a tonne of new modules and improvements.
The whole team worked super hard on this and we’re very excited that everyone can now get their hands on it and all of the new features it has to offer!
I won’t go over everything we did here because we have a whole separate blog post dedicated to the 6.3 release that you should check out if you missed it.

Dirty Cow available on macOS

We have a new module provided by timwr to exploit Dirty Cow on macOS. This module exploits a race condition in the kernel that gives the opportunity for a user to get code execution as root.

New module content (5)

CWP login.php Unauthenticated RCE

Authors: Numan Türle and Spencer McIntyre
Type: Exploit
Pull request: #17511 contributed by zeroSteiner
AttackerKB reference: CVE-2022-44877

Description: Adds an exploit for CVE-2022-44877 which is an unauthenticated command injection in CentOS Control Web Panel <0.9.8.1147. Successful exploitation results in code execution as the root user.

io_uring Same Type Object Reuse Priv Esc

Authors: Mathias Krause, Ryota Shiga, and h00die
Type: Exploit
Pull request: #17301 contributed by h00die
AttackerKB reference: CVE-2022-1043

Description: This module exploits Linux LPE CVE-2022-1043, a bug in io_uring leading to an additional put_cred() that can be exploited to hijack credentials of other processes.

vmwgfx Driver File Descriptor Handling Priv Esc

Authors: Mathias Krause and h00die
Type: Exploit
Pull request: #17300 contributed by h00die
AttackerKB reference: CVE-2022-22942

Description: This PR adds a linux privilege escalation against VMWare virtual machines with kernel 4.14-rc1 – 5.17-rc1 due to a VMWare driver bug.

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

Authors: Ian Beer, Zhuowei Zhang, and timwr
Type: Exploit
Pull request: #17415 contributed by timwr
AttackerKB reference: CVE-2022-46689

Description: This module is the macOS equivalent of the Dirty Cow vulnerability and allows for an unprivileged user to execute code as root.

Veeam Backup and Replication Credentials Dump

Author: npm
Type: Post
Pull request: #17406 contributed by npm-cesium137-io

Description: Post credential capture module Veeam Backup & Recovery and Veeam ONE Monitor versions 9.x – 11.x.

Enhancements and features (11)

#16946 from cgranleese-r7 – Updates the show targets and show actions command to display a visual indicator beside the currently selected value.
#17481 from h00die – An update has been made to the modules/auxiliary/scanner/http/options.rb module to modernize a few of its options, tidy up the code, and to handle an edge case when a target server might respond with a Tomcat error page.
#17504 from ErikWynter – Two aliases for show favorites have been added, namely favorite -l and favorites, to allow for easier listing of modules that users have marked as their favorites.
#17559 from cgranleese-r7 – Adds support for Ruby 3.2
#17560 from adfoster-r7 – Updates the Kerberos inspect_ticket module to show unsupported pac buffer ul_types in a clearer way to the user.
#17563 from bcoles – Improves documentation and code quality for modules/exploits/multi/local.
#17564 from serializingme – Improves the CIPCTlv definition for the exploits/windows/local/anyconnect_lpe module.
#17570 from zeroSteiner – The list of default queries used by the ldap_query module has been updated to add in the ENUM_DOMAIN and ENUM_MACHINE_ACCOUNT_QUOTA queries and to make some small updates to existing queries.
#17575 from zeroSteiner – Updates the Kerberos ccache functionality to automatically perform sname switching on Service Tickets when the ticket sname does not match the Metasploit module’s required sname. This allows for a service ticket associated with the SPN service_a/host.domain.local to be used and updated to service_b/host.domain.local dynamically as part of service authentication.
#17577 from bcoles – Updates modules/exploits/qnx to run the check command before attempting to exploit the target.
#17581 from bcoles – This PR modifies the conditions in 45 local privilege escalation modules to check whether the operator set ForceExploit to true before checking the permissions required for exploitation on the remote target, which is more efficient and quieter over the network.

Bugs fixed (4)

#17444 from hamax97 – A bug has been fixed whereby issuing a command line argument that contained nested equals signs would not be parsed correctly, and would instead be treated as two separate command line statements.
#17557 from zeroSteiner – This fixes the logon timestamp in the MS14-068 exploit so the generated ticket works.
#17558 from cgranleese-r7 – Fixes running msfconsole’s analyze command crashing when a WinRM session was opened.
#17561 from gwillcox-r7 – This fixes the direction for some Railgun function definitions in iphlpapi.

Documentation added (1)

#17565 from adfoster-r7 – Updates the docs site to add color to Metasploit console examples.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-Up

2023-01-27 Shelby Pace

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2023/01/27/metasploit-weekly-wrap-up-190/

Cacti Unauthenticated Command Injection

Metasploit Weekly Wrap-Up

Thanks to community contributor Erik Wynter, Metasploit Framework now has an exploit module for an unauthenticated command injection vulnerability in the Cacti network-monitoring software. The vulnerability is due to a proc_open() call that accepts unsanitized user input in remote_agent.php. Provided that the target server has data that’s tied to the POLLER_ACTION_SCRIPT_PHP action, the vulnerable proc_open() call can be reached with a single GET request. Successful exploitation will result in a session as the user running the Cacti server.

Python Meterpreter Gets a Few Upgrades

The latest release includes some improvements to Python Meterpreter which gets the payload a little closer to feature parity with Windows Meterpreter. For Windows Python Meterpreter, NtAlexio2 added the enumdesktops command, which like with Windows Meterpreter, enumerates all of the accessible desktops it can find. Our very own zeroSteiner added dual stack IPv4 / IPv6 TCP support for Python Meterpreter. Working across both Windows and Linux, this improvement enables Python Meterpreter to listen on all interfaces it can listen on, including ones that have IPv6 addresses.

New module content (1)

Cacti 1.2.22 unauthenticated command injection

Authors: Erik Wynter, Owen Gong, Stefan Schiller, and Steven Seeley
Type: Exploit
Pull request: #17407 contributed by ErikWynter
AttackerKB reference: CVE-2022-46169

Description: This adds an exploit that targets various versions of Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that when exploited, will result in remote code execution as the user running the Cacti server.

Enhancements and features (3)

#17340 from zeroSteiner – The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created to prevent confusion when this information is supplied by a user.
#17518 from zeroSteiner – A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.
#17519 from jmartin-r7 – Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.

Bugs fixed (2)

#17516 from zeroSteiner – The version of Metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.
#17525 from adfoster-r7 – Fixes a deprecation warning when using socks proxy support in Metasploit.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-Up

2023-01-20 Jeffrey Martin

Post Syndicated from Jeffrey Martin original https://blog.rapid7.com/2023/01/20/metasploit-weekly-wrap-up-189/

See something say something

Metasploit Weekly Wrap-Up

Have an idea on how to expand on Metasploit Documentation on https://docs.metasploit.com/? Did you see a typo or some other error on the docs site? Thanks to adfoster-r7, submitting an update to the documentation is as easy as clicking the ‘Edit this page on GitHub’ link on the page you want to change. The new link will take you directly to the source in Metasploit’s GitHub so you can quickly locate the Markdown and submit a PR.

New module content (3)

Mirage firewall for QubesOS 0.8.0-0.8.3 Denial of Service (DoS) Exploit

Author: Krzysztof Burghardt
Type: Auxiliary
Pull request: #17348 contributed by burghardt
AttackerKB reference: CVE-2022-46770

Description: This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.

WordPress Paid Membership Pro code Unauthenticated SQLi

Authors: Joshua Martinelle and h00die
Type: Auxiliary
Pull request: #17479 contributed by h00die
AttackerKB reference: CVE-2023-23488

Description: This adds an exploit module that leverages an unauthenticated SQLi against WordPress plugin Paid Membership Pro. This vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. This module retrieves WordPress usernames and password hashes using Time-Based Blind SQL Injection technique.

Ivanti Cloud Services Appliance (CSA) Command Injection

Authors: Jakub Kramarz and h00die-gr3y
Type: Exploit
Pull request: #17449 contributed by h00die-gr3y
AttackerKB reference: CVE-2021-44529

Description: A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.

Enhancements and features (5)

#17343 from h00die – This makes performance improvements to the windows/local/unquoted_service_path module.
#17451 from h00die – This adds netntlm and netntlmv2 hashes support to auxiliary/analyze/crack_windows module.
#17466 from prabhatjoshi321 – This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.
#17473 from adfoster-r7 – Updates the docs site to have an edit link at the bottom of each page which will take you to the corresponding markdown file on Github for editing.
#17480 from h00die – A new alias has been added for payloads called exploit which will perform the same action as to_handler, to help users familiar with exploit modules to use the same familiar exploit method to open handlers when using payloads.

Bugs fixed (3)

#17385 from smashery – This fixes the file write and file append methods to return the expected Boolean values rather than nil.
#17482 from adfoster-r7 – Fixes a connection issue with reverse_https stagers that are executed on Windows servers attempting to negotiate TLS1 when Metasploit was using OpenSSL3.
#17491 from zeroSteiner – A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library that handles LDAP communications for several modules to ensure that failures use the right namespace when throwing errors to prevent crashes.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-Up

2023-01-13 Christopher Granleese

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2023/01/13/metasploit-weekly-wrap-up-188/

New module content (2)

Gather Dbeaver Passwords

Metasploit Weekly Wrap-Up

Author: Kali-Team
Type: Post
Pull request: #17337 contributed by cn-kali-team

Description: This adds a post exploit module that retrieves Dbeaver session data from local configuration files. It is able to extract and decrypt credentials stored in these files for any version of Dbeaver installed on Windows or Linux/Unix systems.

Gather MinIO Client Key

Author: Kali-Team
Type: Post
Pull request: #17341 contributed by cn-kali-team

Description: This adds a post module that gathers local credentials stored by the MinIO client on Windows, Linux, and MacOS.

Enhancements and features (2)

#17427 from gwillcox-r7 – This adds YARD documentation to the LDAP libraries for developers to reference.
#17447 from gwillcox-r7 – We now utilize ‘pry’ dependencies with support for newer Ruby versions.

Bugs fixed (3)

#17386 from smashery – A bug has been fixed whereby the HTTP library was parsing HTTP HEAD requests like GET requests, which was causing issues due to lack of compliance to RFC9110 standards. By updating the code to be more compliant with these standards, modules such as auxiliary/scanner/http/http_header now work as expected.
#17438 from ErikWynter – This fixes an issue in the exchange_proxylogon_collector module where it would crash if the LegacyDN was not present in the XML response.
#17454 from prabhatjoshi321 – A bug has been fixed whereby smb_enumshares incorrectly truncated file names before storing them into loot. This has been addressed so that only the console output will contain truncated file names, and the loot files will still contain the full file names for reference.

Documentation added (1)

#17395 from cgranleese-r7 – Adds documentation for both the JSON and MessagePack Metasploit RPC APIs – which is useful for programmatically interacting with Metasploit.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-Up

2023-01-06 Brendan Watters

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/01/06/metasploit-weekly-wrap-up-4/

Back from a quiet holiday season

Metasploit Weekly Wrap-Up

Thankfully, it was a relatively quiet holiday break for security this year, so we hope everyone had a relaxing time while they could. This wrapup covers the last three Metasploit releases, and contains three new modules, two updates, and five bug fixes.

Make sure that your OpenTSDB isn’t too open

Of particular note in this release is a new module from community contributors Erik Wynter and Shai rod
which adds a new exploit module for CVE-2020-35476, an unauthenticated command injection vulnerability in the yrange parameter in OpenTSDB <= 2.4.0.

OpenTSDB is a monitoring software that runs on top of Hadoop and HBase to allow users to serve large amounts of time-series data without losing any granularity in the data itself. If you are wondering what that host mess of buzzwords means, it simply means that it is a database optimized to store events or measurements that are time-stamped. This also means that the target is likely to be storing a lot of metrics data, which may also include sensitive internal operations, making it a prime target for exploitation.

Successful exploitation of this vulnerability will result in remote code execution as the root user, meaning that an attacker can go from being completely unauthenticated to having full control over affected OpenTSDB devices. This could then allow the attacker
to pivot further into the target network, using either the privileges they have gained on the OpenTSDB device, or details from the logs on the OpenTSDB device, which may provide insight into weaknesses of the network or give access to sensitive information.

New module content (3)

Linear eMerge E3-Series Access Controller Command Injection by Gjoko Krstic (gjoko[at]applied-risk.com) and h00die-gr3y, which exploits CVE-2019-7256, an unauthenticated command injection vulnerability in Linear eMerge E3 versions 1.00-06 and below in the No and door parameters of card_scan_decoder.php. Successful exploitation results in RCE as the root user.
OpenTSDB 2.4.0 unauthenticated command injection by ErikWynter and Shai rod, which exploits CVE-2020-35476, an unauthenticated command injection vulnerability in OpenTSDB through 2.4.0.
SolarWinds Orion Secrets Dump by Rob Fuller and npm-cesium137-io – This adds a post module for extracting encrypted credentials from SolarWinds Orion NPM.

Enhancements and features (2)

#17258 from h00die – This updates the SharpHound post module to use version 1.1.0 of SharpHound, which works with Bloodhound 4. This includes both the .ps1 and binary from the original repository.
#17380 from smashery – The list of user agent strings inside lib/rex/user_agent.rb has been updated to reflect the latest user agents as of December 2022.

Bugs fixed (5)

#17334 from bcoles – Multiple improvements to modules/post/linux/gather/enum_commands, including fixing a crash when attempting to search a path that doesn’t exist
#17389 from ErikWynter – log4shell_header_injection bugfix to prevent NoMethodError for nil:NilClass
#17409 from adfoster-r7 – Update rhost walker to handle interrupt signal
#17416 from MegaManSec – The jenkins_gather.rb module has been updated to use .blank? instead of .empty? when handling SSH Key details to prevent crashes should the various elements of the SSH Key be empty or nil.
#17435 from jmartin-r7 – A bug has been fixed whereby some modules were accidentally updated to use smtp_send_recv when they did not import the required Exploit::Remote::SMTPDeliver mixin. These modules have been updated to use the appropriate raw_send_recv method instead.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

2022 Annual Metasploit Wrap-Up

2022-12-30 Spencer McIntyre

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/12/30/2022-metasploit-wrap-up/

2022 Annual Metasploit Wrap-Up

It’s been another gangbusters year for Metasploit, and the holidays are a time to give thanks to all the people that help make our load a little bit lighter. So, while this end-of-year wrap-up is a highlight reel of the headline features and extensions that landed in Metasploit-land in 2022, we also want to express our gratitude and appreciation for our stellar community of contributors, maintainers, and users. The Metasploit team merged 824 pull requests across Metasploit-related projects in 2022, more than 650 of which were incorporated into the main metasploit-framework repository. If you fixed a typo, linked a new reference, or cleaned up some code spaghetti, thank you!

Active Directory Certificate Services attacks

For years now, penetration testers and attackers have emphasized Active Directory as a particularly juicy and valuable attack surface area. In 2021, we saw fresh attack research that outlined new techniques for targeting Active Directory Certificate Services, or AD CS, including multiple configuration flaws that can be leveraged to escalate permissions from a domain user to a privileged account. In response to requests from our user community, Metasploit released two modules in the second half of 2022 that support AD CS attack techniques:

auxiliary/gather/ldap_esc_vulnerable_cert_finder can be used by an authenticated AD user to enumerate Certificate Authorities (CAs) and find vulnerable certificate templates.
auxiliary/admin/dcerpc/icpr_cert allows users to issue certificates from AD CS with a few options that are used for exploiting some escalation (ESC) scenarios. Currently only escalation technique 1 (ESC1) can be exploited with the available options, but support for more techniques is planned.

Linux credential extraction with Mimipenguin

Metasploit expanded our post-exploitation capabilities for extracting plaintext credentials on Linux systems by porting the Mimipenguin utility to Metasploit. This allows users to extract credentials for a variety of services from an established Meterpreter session, including the gnome-keyring-daemon, vsftpd and sshd. Under the hood, this functionality uses a new Meterpreter API that allows searching through process memory.

Metasploit plays well with others

This year Metasploit added a few different ways of supporting interoperability with other offensive security tools. First up is the BOF Loader for COFF files, which enables usage of Cobalt Strike’s Beacon Object File format from within the Windows Meterpreter. This extension can also use BOF files written for Sliver. We’ve also made an improvement this year to allow users to bring their own payloads and stages from other tools and formats. If you’re a Sliver user, you can now deploy a Sliver agent as a custom payload stage, and we will use our own Metasploit stagers to upload and run the custom shellcode on the target.

Holiday hacking challenge

Metasploit teamed up with TryHackMe to deliver a challenge as part of their Advent of Cyber event, which ran for the month of December. The Metasploit challenge debuted on December 9 and walked users through a fun Christmas-themed story where they were able to use some of Metasploit’s latest pivoting capabilities. A walk-through is available under Task 9 on the official event page.

Sixth `getsystem` technique

Metasploit added a new technique to everyone’s favorite Meterpreter command in the middle of 2022 with help from cdelafuente-r7, who incorporated the newest named-pipe impersonation-based technique (the EfsPotato variant). This particular vulnerability affects Windows Vista / Server 2008 and later can be executed entirely in memory to escalate the current session to NT AUTHORITY\SYSTEM without spawning a new process. For more information about this and other getsystem techniques, check out the new module documentation. (Pro tip: Specific techniques can be used by number!)

Post API improvements and maintenance

Community member bcoles made more than 100 pull requests to improve and maintain the post-exploitation API used by Metasploit’s 400+ post modules. This enormous effort is greatly appreciated and has fixed numerous bugs, added new functionality, and made general improvements that benefit both end users and module developers alike. Among those improvements are removing quite a few lingering Meterpreter scripts (which were replaced by post modules in 2011) and adding shell session support for a few enumeration modules. The shell session support is particularly useful when combined with 2021’s payload-less session improvements because it bypasses the need to address evasion with Meterpreter.

New contributors

We would like to thank the community for all the work done this year. Particularly, we want to give a big shout out to the 45 new contributors that added great content to Metasploit. Some of these folks even added modules for celebrity vulnerabilities or flaws that were being actively exploited in the wild, such as Apache Spark RCE (CVE-2022-33891), Spring Cloud Gateway RCE (CVE-2022-22947) or Spring Framework RCE (CVE-2022-22965). We’re grateful to all our contributors for submitting modules that help organizations test their defenses, demonstrate risk, and prioritize mitigations.

New contributor	# of modules
h00die-gr3y	5
krastanoel	4
npm-cesium137-io	4
Ayantaker	1
PazFi	1
c0rs	1
giacomo270197	1
jerrelgordon	1
m4lwhere	1
mauricelambert	1
rad10	1
talhakarakumru	1
usiegl00	1
vleminator	1

Others contributed to make Metasploit even better with enhancements, fixes and documentation:

New contributors
3V3RYONE
AtmegaBuzz
EmilioPanti
ILightThings
Invoke-Mimikatz
NikitaKovaljov
ORelio
Ronni3X
VanSnitza
bojanisc
darrenmartyn
dismantl
entity0xfe
erikbomb
flogriesser
kalidor
lap1nou
llamasoft
luisfso
mauvehed
memN0ps
mrshu
namaenonaimumei
nfsec
nzdjb
ojasookert
om3rcitak
r3nt0n
rtpt-alexanderneumann
shoxxdj
ssst0n3
zha0gongz1

New module highlights

exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684 – This exploit contributed by community member heyder facilitated unauthenticated code execution on multiple Fortinet products including FortiOS, FortiProxy and FortiSwitchManager.
exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144 – Despite having a 2021 CVE, this particular vulnerability, contributed by community member h00die-gr3y, gained attention in 2022 for being an unauthenticated RCE in VMware’s NSX product. Being a deserialization vulnerability, exploitation is smooth and reliable.
auxiliary/gather/ldap_query – This new module allows users to gather useful information from an Active Directory Domain Services (AD DS) LDAP server. Metasploit currently includes 28 predefined queries for common actions like enumerating LAPS passwords, computer accounts, and users with configured Service Principal Names (SPNs) for Kerberoasting. Metasploit users can even define their own queries for use with the module.
exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc – This module, from community contributor h00die, added in support for CVE-2021-22015. vCenter is frequently targeted by attackers, so h00die’s contribution goes a long way in helping pen testers better assess the security of vCenter servers during their engagements.
exploit/linux/http/cisco_asax_sfr_rce – This module was added by jbaines-r7 and incorporated an exploit for CVE-2022-20828 that allows authenticated attackers to gain root-level shells on vulnerable Cisco ASA-X devices with FirePOWER Services enabled. These devices are frequently positioned in sensitive pivots within networks, and are prime targets for attackers, so gaining RCE on these devices often results in access to privileged networks and/or data.
exploit/multi/veritas/beagent_sha_auth_rce – This module from community contributor c0rs exploits CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 in Veritas Backup Exec Agent to bypass authentication and gain remote code execution as SYSTEM/root. This is quite a nice vulnerability since backup agents typically have access to sensitive information, so any compromise of such devices typically leads to access to sensitive company data. Combine this with SYSTEM/root privileges as an unauthenticated remote user, and you have a decent vulnerability for gaining initial access into a network and gaining information to start your pivoting attempts to other segments of that network.

Version 6.2 released

Over the summer, the Metasploit team announced the release of Metasploit Framework 6.2, which included a number of new features. Some of the highlights:

A streamlined authentication capturing plugin
An SMB 2 and 3-capable file server
Improved options for handling NATed services
Improved SMB relaying

We’re planning a 6.3 feature release in early 2023, so stay tuned for the next round of new Metasploit capabilities and improvements!

E-Z-2-contribute documentation

As of the 6.2 release, Metasploit has a new, user-contributable docs site at https://docs.metasploit.com/. Want to contribute to Metasploit, but don’t want to monkey around with Ruby or exploit code? We can always use more and better documentation on your favorite Metasploit features, workflows, and improvements. Get in there and help us teach people how hacking works!

From all of us at Rapid7, we wish you a very happy new year. As always, you can get the latest Metasploit updates every Friday in our weekly wrap-up, and you can stay up-to-date on vulnerability intelligence with AttackerKB.

Metasploit Weekly Wrap-Up

2022-12-16 Brendan Watters

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2022/12/16/metasploit-weekly-wrap-up-187/

A sack full of cheer from the Hacking Elves of Metasploit

Metasploit Weekly Wrap-Up

It is clear that the Metasploit elves have been busy this season: Five new modules, six new enhancements, nine new bug fixes, and a partridge in a pear tree are headed out this week! (Partridge nor pear tree included.) In this sack of goodies, we have a gift that keeps on giving: Shelby’s Acronis TrueImage Privilege Escalation works wonderfully, even after the software is uninstalled.

If you prefer elf files to holiday elves, we’ve still got you covered

Jan Rude submitted two modules targeting Syncovery for Linux. One takes advantage of an insecure session token generator and allows for the brute-force creation of a token that matches that of a logged-in user, and the other allows an authenticated user to create a job that will run when a user’s profile is run.

New module content (5)

Syncovery For Linux Web-GUI Session Token Brute-Forcer by Jan Rude, which exploits CVE-2022-36536 – A new login scanner module that brute-forces a valid session token for the Syncovery File Sync & Backup Software Web-GUI. This will work if the default user is already logged in the application. If they do not logout, the token stays valid until the next reboot.
Acronis TrueImage XPC Privilege Escalation by Csaba Fitzl and Shelby Pace, which exploits CVE-2020-25736 – This module exploits a local privilege escalation vulnerability in Acronis TrueImage versions 2019 update 1 through 2021 update 1 on macOS. This vulnerability is identified as CVE-2020-25736. By abusing a local helper executable, it is possible to execute arbitrary commands as the root user.
Syncovery For Linux Web-GUI Authenticated Remote Command Execution by Jan Rude, which exploits CVE-2022-36534 – This adds a module that exploits an authenticated remote code execution vulnerability identified as CVE-2022-36534 in the Web GUI of Syncovery File Sync & Backup Software for Linux. The module leverages a flaw in the application that allows the creation of jobs that will be executed when a profile is run. This allows the execution of arbitrary commands as the root user.
F5 Big-IP Gather Information from MCP Datastore by [Ron Bowes] (https://github.com/rbowes-r7) – This adds a post module for gathering facts from an F5 system’s MCP database protocol.

Enhancements and features (6)

#17191 from liangjs – This PR fixes a bug where the Windows Subsystem for Linux crashes when using a reverse_tcp x64 stager because of data in the upper bits of the RDI register when the syscall occurs.
#17255 from JustAnda7 – The command payloads have been updated to allow specifying the file system path for several of their commands within datastore options. This should allow users to specify these commands locations should they not be contained within the searchable PATH.
#17346 from adfoster-r7 – The logic for counting threads within lib/metasploit/framework/spec/threads/suite.rb has been updated to appropriately count and document the known threads that can be left behind when running the rspec test suite. This fixes an intermittent rspec crash.
#17355 from adfoster-r7 – The creds command has been updated to show the full SSH key contents when running the creds -v command or when exporting to a file with creds -o output.txt. Previously only a shortened fingerprint string would be shown to the user.
#17357 from adfoster-r7 – The docs site has been updated to support mermaid graphs for rendering diagrams to assist with explanations.
#17387 from smashery – The hosts, services, vulns and notes command have been updated to support tab expansion in paths using the ~ character when using the -o option to specify the path to the file to write the output to.

Bugs fixed (9)

#17345 from adfoster-r7 – A crash has been fixed when using the report API with verbose mode enabled and no active DB.
#17350 from smashery – This updates three UAC bypass modules to remove a hard coded delay in favor of using the module’s builtin cleanup method. This results in the user having access to the interactive session without needing to wait.
#17351 from smashery – This fixes an issue in the exploit/windows/local/s4u_persistence module where the default value for FREQUENCY would cause an error.
#17352 from smashery – A bug has been fixed in the file_version method for Windows Meterpreter, which would cause the session to crash if it was run on a file that did not exist on the target system.
#17361 from jmartin-r7 – A bug has been fixed that would cause a crash when running the exit command from within msfconsole when running msfconsole with a 3.1.x release of Ruby.
#17366 from zeroSteiner – The upload and download commands used by shell sessions have been updated to handle directory destinations in the same way as the Meterpreter equivalents do, and to fix some bugs when uploading and downloading files that would prevent errors from being displayed and might cause session crashes.
#17368 from adfoster-r7 – Fixes a regression issue with msfvenom payload generation for large payloads taking more than 5 minutes to generate when outputting as hex format. Now it takes a few seconds as normal.
#17370 from jmartin-r7 – A bug has been fixed in the smb_enumshares.rb whereby if a SMBv1 connection is used a call was made to the net_share_enum_all function on the wrong object. This has since been updated to address this error.
#17378 from gwillcox-r7 – A bug has been fixed in the Meterpreter payloads that was preventing Python Meterpreter from being able to utilize its EventLog API properly. Additionally a bug has been fixed in the COFFLoader that prevented BOFLoader from working with some COFF files.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Wrap-Up

2022-12-09 Zachary Goldman

Post Syndicated from Zachary Goldman original https://blog.rapid7.com/2022/12/09/metasploit-wrap-up-156/

Login brute-force utility

Metasploit Wrap-Up

Jan Rude added a new module that gives users the ability to brute-force login for Linux Syncovery. This expands Framework’s capability to scan logins to Syncovery, a popular web GUI for backups.

WordPress extension SQL injection module

Cydave, destr4ct, and jheysel-r7 contributed a new module that takes advantage of a vulnerable WordPress extension. This allows Framework users to take advantage of CVE-2022-0739, leveraging a UNION-based SQL injection to gather hashed passwords of WordPress users. For vulnerable versions, anyone who can access the BookingPress plugin page will also have access to all the credentials in the database, yikes! There are currently 3,000 active installs of the plugin, which isn’t a huge number by WordPress standards—but the ease of remote exploitation makes it a fun addition to the framework.

New module content (3)

WordPress BookingPress bookingpress_front_get_category_services SQLi by cydave, destr4ct, and jheysel-r7, which exploits CVE-2022-0739 – A new module has been added for CVE-2022-0739 which is an unauthenticated SQL injection in WP BookingPress prior to 1.0.11 in the bookingpress_front_get_category_services AJAX action.
Syncovery For Linux Web-GUI Login Utility by Jan Rude – This adds a login scanner module for Syncovery for Linux.
VMware vCenter "vScalation" Privilege Escalation by Yuval Lazar and h00die, which exploits CVE-2021-22015 – This PR adds a privilege escalation for users in the cis group to escalate to root on certain versions of vCenter. A service file /usr/lib/vmware-vmon/java-wrapper-vmon has improper permissions allowing cis group members to write to it. Upon host reboot or vmware-vmon service restart, a root shell is obtained.

Enhancements and features (2)

#17214 from h00die – This PR improves upon the data gathered on a vCenter server originally implemented in #16871, including library integration, optimization, and de-duplication.
#17332 from bcoles – Updates windows/gather/enum_proxy to support non-Meterpreter sessions (shell, PowerShell).

Bugs fixed (5)

#17183 from rbowes-r7 – This adds some small changes, cleanups, and fixes to the linux/http/zimbra_unrar_cve_2022_30333 and linux/http/zimbra_cpio_cve_2022_41352 Zimbra exploit modules, along with linux/local/zimbra_slapper_priv_esc documentation. Particularly, this fixes an issue that prevented the exploit modules from working properly when the handler was prematurely shut down.
#17305 from cgranleese-r7 – Updates Metasploit’s RPC to automatically choose an appropriate payload if module.execute is invoked without a payload set. This mimics the functionality of msfconsole.
#17323 from h00die – Fixes a bug when attempting to detect enlightenment_sys in exploits/linux/local/ubuntu_enlightenment_mount_priv_esc.
#17330 from zeroSteiner – This fixes an issue in the ProxyShell module, which limited the email enumeration to 100 entries. Now, it correctly enumerates all the emails before finding one that is suitable for exploitation.
#17342 from gwillcox-r7 – This adds the necessary control to the search queries used to find vulnerable certificate templates in an AD CS environment. Prior to this, non-privileged users would not be able to read the security descriptor field.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

2022-12-02 Navya Harika Karaka

Post Syndicated from Navya Harika Karaka original https://blog.rapid7.com/2022/12/02/metasploit-weekly-wrap-up-186/

Metasploit Weekly Wrap-Up

I ## ProxyNotShell
This week’s Metasploit release includes an exploit module for CVE-2022-41082, AKA ProxyNotShell by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai, Piotr Bazydło, Rich Warren, Soroush Dalili, and our very own Spencer McIntyre. The vulnerability CVE-2022-41082, AKA ProxyNotShell is a deserialization flaw in Microsoft Exchange’s PSRP backend. Microsoft Exchange Server 2019, Exchange Server 2016 and Exchange Server 2013 are vulnerable to a server-side request forgery (SSRF) attack and remote code execution. An authenticated attacker can use the combination of these two vulnerabilities to elevate privileges and execute arbitrary code on the target Exchange server. For more information, see CVE-2022-41082 and CONTROL YOUR TYPES OR GET PWNED. The ProxyNotShell exploit also added new Exchange SSRF functionality that allows both it and the previous ProxyShell module to target Exchange server instances which utilize a Data Access Group (DAG) backend. The Metasploit team has yet to see another public Proof of Concept that takes this configuration type into account.

Remote Control Collection RCE

Community contributors h00die and H4rk3nz0 also introduced another exploit module in this week’s release. This module targets the remote control software which allows a remote person to connect and execute screen commands via mobile devices. Note that this module will only deploy a payload if the server is set without a password (default). A side note, if you’re looking to learn more about how you can use metasploit to hack target servers using remote code vulnerabilities, you might find this video (https://www.youtube.com/watch?v=eLbBR956Tgw) helpful.

New module content (2)

Microsoft Exchange ProxyNotShell RCE by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai, Piotr Bazydło, Rich Warren, Soroush Dalili, and Spencer McIntyre, which exploits CVE-2022-41082 – This adds an exploit module for CVE-2022-41082, AKA ProxyNotShell. This vulnerability is a deserialization flaw in Microsoft Exchange’s PSRP backend. The PSRP backend can be accessed by an authenticated attacker leveraging the SSRF flaw identified as GHSA-6ph7-8wxv-6gf2. Together, these vulnerabilities allow an authenticated attacker to execute arbitrary commands on a Microsoft Exchange Server.
Remote Control Collection RCE by H4rk3nz0 and h00die – This PR adds an exploit targeting the Remote Control Server software which allows remote control of a PC, now including running a payload.

Enhancements and features (1)

#17304 from om3rcitak – Improves auxiliary/scanner/http/tomcat_mgr_login.rb error message on 401 status codes to include the user defined URI.

Bugs fixed (2)

#17163 from jheysel-r7 – This fixes a bug in the check method where we left an artifact on disk.
#17299 from smashery – This fixes a bug in the polkit_dbus_auth_bypass module that prevented it from working with certain session types.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-Up

2022-11-25 Christopher Granleese

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2022/11/25/metasploit-weekly-wrap-up-185/

F5 Big-IP

Metasploit Weekly Wrap-Up

This week’s Metasploit release contains 2 new modules released as part of the Rapid7 F5 BIG-IP and iControl REST Vulnerabilities research article.

These discoveries were made by our very own Ron Bowes, who developed an exploit module for authenticated RCE against F5 devices running in appliance mode to achieve a Meterpreter session as the root user.

Ron Bowes has also developed an F5 Metasploit module exploiting CVE-2022-41622, a CSRF vulnerability in F5 Big-IP versions 17.0.0.1 and below – which leads to an arbitrary file overwrite as root. With this module, a user can choose to overwrite various system files to achieve a Meterpreter session as the root user.

For more information, see Rapid7’s blog post which detail the vulnerabilities.

DuckyScript support

Community contributor h00die contributed an enhancement to msfvenom. This adds the ducky-script-psh format to msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp -f ducky-script-psh lhost=127.0.0.1 lport=444

This allows users to create payloads that are compatible with Bad USB devices such as the Flipper Zero.

New module content (3)

F5 BIG-IP iControl Authenticated RCE via RPM Creator by Ron Bowes, which exploits CVE-2022-41800 – This adds an authenticated RCE for F5 devices that leverages the command injection flaw identified in CVE-2022-41800.
F5 BIG-IP iControl CSRF File Write SOAP API by Ron Bowes, which exploits CVE-2022-41622 – This module exploits a CSRF vulnerability in F5 Big-IP versions 17.0.0.1 and below which leads to an arbitrary file overwrite as root. With this module, a user can choose to overwrite various system files to achieve a Meterpreter session as the root user.
ChurchInfo 1.2.13-1.3.0 Authenticated RCE by m4lwhere, which exploits CVE-2021-43258 – A new module has been added for CVE-2021-43258 which exploits a flaw whereby, when emailing users in the ChurchInfo database with attachments, the uploaded file is hosted in a web accessible location under the ChurchInfo web root before the email is sent. An authenticated attacker can abuse this to gain RCE as the www-user user.

Enhancements and features (6)

#17145 from k0pak4 – This PR adds the ability to authenticate via hash and improves the error reporting when authentication fails.
#17279 from h00die – This adds the ducky-script-psh format to msfvenom so it can create payloads that are compatible with Bad USB devices such as the Flipper Zero.
#17283 from bcoles – Improves the linux/gather/enum_psk module, and adds documentation
#17284 from bcoles – Updates modules/post/linux/gather/enum_network and modules/post/linux/gather/tor_hiddenservices to extract hostname details in a similar fashion to other modules
#17285 from bcoles – Improves validation in linux/gather/tor_hiddenservices to ensure that the locate command is present before running the module
#17296 from jmartin-r7 – Adds clarification to the module documentation that links to external resources are not controlled by project maintainers. These external resources may no longer exist and are subject to malicious takeover in the future. These links should be reviewed accordingly.

Bugs fixed (1)

#17277 from adfoster-r7 – Fixes a crash within the python reverse http stager.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-Up

2022-11-18 Spencer McIntyre

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/11/18/metasploit-weekly-wrap-up-184/

Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream (CVE-2021-39144)

Metasploit Weekly Wrap-Up

There’s nothing quite like a pre-authenticated remote code execution vulnerability in a piece of enterprise software. This week, community contributor h00die-gr3y added a module that targets VMware NSX Manager using XStream. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of root on the appliance. VMware saw this vulnerability as such a risk, and they decided to release patches for versions that were no longer supported, which goes to show the value that this module provides.

Gitea Git Fetch Remote Code Execution (CVE-2022-30781)

Using Gitea in your environment? You better git-to-patching. Community contributor krastanoel wrote an awesome module which exploits a remote code execution vulnerability in versions of Gitea before 1.16.7. The vulnerability identified as CVE-2022-30781 is due to the application running a git fetch command in which an attacker can inject arbitrary commands resulting in code execution as the git user.

Metasploit on Twitch

This week Metasploit’s very own Spencer McIntyre went live on Twitch and went over writing Meterpreter features in Metasploit. Be sure to check out the recording and stay tuned for more fun and informative Metasploit streaming sessions.

New module content (2)

VMware NSX Manager XStream unauthenticated RCE by Sina Kheirkhah, Steven Seeley, and h00die-gr3y, which exploits CVE-2021-39144 – This adds an exploit module that leverages a Remote Command Injection vulnerability in VMware Cloud Foundation 3.x and NSX Manager Data Center for vSphere up to and including version 6.4.13. This vulnerability is identified as CVE-2021-39144.
Gitea Git Fetch Remote Code Execution by krastanoel, li4n0, and wuhan005, which exploits CVE-2022-30781 – This adds an exploit module that leverages a command injection vulnerability in Gitea. Due to an improper escaping of input, it is possible to execute commands on the system abusing the Gitea repository migration process. This vulnerability is identified as CVE-2022-30781 and affects Gitea versions prior to 1.16.7.

Enhancements and features (2)

#17243 from adfoster-r7 – Improves the TLV packet logging for Railgun
#17253 from h00die – The list of WordPress plugins and themes has been updated to allow Metasploit tools to scan for a wider range of known themes and plugins on WordPress targets.

Bugs fixed (2)

#17260 from zeroSteiner – This fixes an issue with the RBCD module due to the access_mask field of the Access Control Entry types being changed from the AccessMask type to an integer.
#17263 from zeroSteiner – The Metasploit-payloads gem has been bumped to 2.0.101, which fixes memory and handle leaks when using the incognito plugin’s list_token functionality. It also updates the Mimikatz code in Metasploit to pull in the latest changes.
#17261 from zeroSteiner – This fixes support for port forwarding on Ruby 3 with meterpreter payloads.
#17264 from gwillcox-r7 – This bumps the Go version from 1.11.2 to 1.19.3 in the metasploit-framework Dockerfile.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Metasploit Weekly Wrap-Up

2022-11-11 Alan David Foster

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2022/11/11/metasploit-weekly-wrap-up-183/

ADCS – ESC Vulnerable certificate template finder

Metasploit Weekly Wrap-Up

Our very own Grant Willcox has developed a new module which allows users to query a LDAP server for vulnerable Active Directory Certificate Services (AD CS) certificate templates. The module will print the detected certificate details, and the attack it is susceptible to. This module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates.

Example module output showing an identified vulnerable certificate template:

msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
[*] Running module against 172.26.104.157
[*] Discovering base DN automatically
[+] 172.26.104.157:389 Discovered base DN: DC=daforest,DC=com
[*] Template: SubCA
[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
[*]    Certificate Template Enrollment SIDs:
[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
[*]    Issuing CAs:
[*]       * daforest-WIN-BR0CCBA815B-CA
[*]          Server: WIN-BR0CCBA815B.daforest.com
[*]          Enrollment SIDs:
[*]             * S-1-5-11 (Authenticated Users)
… etc etc …

SSL Scanner improvements

Community member h00die has made improvements to a new Metasploit’s SSL scanner modules, and combined the functionality of two existing modules auxiliary/scanner/http/ssl.rb auxiliary/scanner/http/ssl_version.rb into one new module auxiliary/scanner/ssl/ssl_version.rb. This new module has added checks for Deprecated protocols, expired/not valid certs, low key strength, Null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.

Reduced Python payload sizes

Community member llamasoft has recently contributed improvements to our Python payloads, with the first change being a modification to the Python Meterpreter stage to calculate the necessary data for AES encryption at runtime – which helped reduce the stage size by about 6,000 bytes. This week’s Metasploit release includes compression support using zlib. This change reduces the size of the Python Meterpreter from 95kb to 24kb.

New module content (4)

Misconfigured Certificate Template Finder by Grant Willcox – This adds a module that analyzes certificate templates to identify ones that are vulnerable to ESC1, ESC2 and ESC3. When a template is found to be vulnerable, the necessary information is printed for the user including the template name, the issuing CAs and the SIDs of the users that are able to issue them.
SSL/TLS Version Detection by todb, Chris John Riley, Veit Hailperin, et, and h00die, which detects CVE-2022-3358 – A new module modules/auxiliary/scanner/ssl/ssl_version.rb has been released which replaces the old SSL scanners and offers improved features such as SSL cipher suite checking, improvements to CA Issuers logic, support for expired certs and depreciated protocols, and better error handling.
Reverse Lookup IP Addresses by mubix and bcoles – Adds a new post/multi/recon/reverse_lookup module that reverse resolves an IP address or IP address range to hostnames. The old post/windows/gather/reverse_lookup and post/windows/recon/resolve_ip modules have been removed.
Windows Gather Navicat Passwords by HyperSine and Kali-Team – This adds a post module that retrieves and decrypts passwords saved by Navicat.

Enhancements and features (6)

#17211 from llamasoft – This compresses Python payloads using zlib to make them smaller.
#17219 from jheysel-r7 – Update Zabbix login_scanner to work with version 6.2.4.
#17223 from cgranleese-r7 – The reload_lib functionality has been updated so that its file change tracking logic better takes into account scenarios where files are modified. Previously if a breakpoint was inserted, removed, and then reload_lib -a was run, it would mistakenly use an old copy of the code.
#17234 from cgranleese-r7 – Add references to info -d command in the options and info command outputs. This command allows you to generate a HTML document which you can use to view the full documentation of a module in your browser.
#17235 from jmartin-r7 – Updates auxiliary/scanner/http/manageengine_desktop_central_login module to report the service name correctly as http or https.
#17238 from zeroSteiner and NtAlexio2 – Adds the shutdown command to Window’s Python Meterpreter.

Bugs fixed (3)

#17177 from nzdjb – A bug has been fixed when searching for or attempting to use modules whereby trailing :‘s were not handled appropriately as part of the input, and could lead to all modules in Metasploit being returned.
#17221 from adfoster-r7 -A bug has been fixed that would cause crashes when generating payload sizes. Additionally, the code has been updated to ignore payload metadata for adaptor payloads when determining payload sizes.
#17244 from zeroSteiner – A bug that could cause the hostname command to fail in Mettle versions of Meterpreter has been improved by adding increased validation to the hostname code.
#17220 from adfoster-r7 – This fixes a crash in the peinject stage that would occur when the PE datastore option was not set.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-Up

2022-11-04 Brendan Watters

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2022/11/04/metasploit-weekly-wrap-up-182/

C is for cookie

Metasploit Weekly Wrap-Up

And that’s good enough for Apache CouchDB, apparently. Our very own Jack Heysel added an exploit module based on CVE-2022-24706 targeting CouchDB prior to 3.2.2, leveraging a special default ‘monster’ cookie that allows users to run OS commands.

This fake computer I just made says I’m an Admin

Metasploit’s zeroSteiner added a module to perform Role-based Constrained Delegation (RBCD) on an Active Directory network. If you need someone to vouch for your credentials as an Administrator on a local host and you have a set of specific permissions, this module will allow you to create your own friendly computer object to vouch for you!

Proving your Mettle while watching a fire

FLIR Cameras measure the heat given off by an exothermic reaction, but they also execute Metasploit’s ARM Meterpreter (formerly known as Mettle) payloads as root, thanks to a module by Samy Younsi that takes advantage of CVE-2022-37061, an unauthenticated command injection vulnerability in FLIR AX8 cameras up to and including 1.46.16.

That OpenSSL Vuln was certainly not greater than or equal to the hype

It was a tense and scary Halloween for many when it shouldn’t have been, thanks to a “cryptic” early announcement of an OpenSSL vulnerability that proved to be a bust. On AttackerKB Rapid7 researchers break down why this was not the vuln you feared, or much of a vuln at all.

New module content (5)

FLIR AX8 unauthenticated RCE by Samy Younsi (https://www.linkedin.com/in/samy-younsi), Thomas Knudsen (https://www.linkedin.com/in/thomasjknudsen), and h00die-gr3y, which exploits CVE-2022-37061 – This adds an exploit module that targets FLIR AX8 thermal cameras. A command injection vulnerability exists in the id POST parameter to the res.php endpoint, which can be leveraged by an unauthenticated attacker to achieve RCE as the root user.
Webmin File Manager RCE by faisalfs10x and jheysel-r7, which exploits CVE-2022-0824 – This adds a module that exploits improper access controls in Webmin File Manager. An authenticated attacker can coerce Webmin into downloading a malicious CGIcgi script from an attacker-controlled http server. After that, the attacker can further use File Manager utilities to set execute permissions on the cgi script, execute it, and achieve RCE as the root user.
Apache CouchDB Erlang RCE by 1F98D, Konstantin Burov, Milton Valencia (wetw0rk), _sadshade, and jheysel-r7, which exploits CVE-2022-24706 – A new module has been added to exploit CVE-2022-24706 an RCE within Apache CouchDB prior to 3.2.2 via the Erlang/OTP Distribution protocol, which used a default cookie of "monster" to allow users to connect and run OS commands.
Linux Gather ManageEngine Password Manager Pro Password Extractor by Charles Yost, Christophe De La Fuente, Rob Simon, and Travis Kaun – This post module gathers ManageEngine’s Password Manager Pro credentials from the local ManageEngine database.
#17181 from zeroSteiner – Adds a new auxiliary/admin/ldap/rbcd module which uses LDAP to set the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the user provided delegate_to datastore option within Active Directory. This technique is used as part of Role Based Constrained Delegation (RBCD) attacks. Example usage: run rhost=192.168.123.13 [email protected] password=p4$$w0rd delegate_to=dc3$ action=WRITE delegate_from=fake_computer. This new module can be used in conjunction with the existing auxiliary/admin/dcerpc/samr_computer module to create the required fake computer account.

Enhancements and features (6)

#17155 from h00die – This PR updates version checking for the recent Remote mouse RCE module and updates the docs with a vulnerable version download link.
#17184 from adfoster-r7 – Updates the metashell upload/download commands to work for powershell and windows sessions.
#17186 from adfoster-r7 – Fixes broken file writes on windows targets when newlines are present within the uploaded file.
#17195 from adfoster-r7 – Fixes uploading binary files with identical names to a Windows shell session. Previously this would silently error and not write the new file contents, now the file contents will successfully be written out.
#17196 from bcoles – Adds new get_hostname library support for Windows sessions.
#17207 from memN0ps – Updates msfvenom and msfconsole to support formatting shellcode as a Rust array. Example usage: msfvenom -p windows/x64/exec cmd='calc.exe' -f rust.

Bugs fixed (3)

#17188 from zeroSteiner – Fixes a regression issue that stopped Python Meterpreter working for v3.1-3.3.
#17190 from zeroSteiner – This sets the bufptr parameter in multiple netapi32 railgun functions to the PLPVOID data type and consequently fixes a crash in the post/windows/gather/enum_domain_tokens module caused by improper data types being set for the bufptr parameter.
#17213 from bwatters-r7 – Fixes a bug that stopped the post/linux/gather/vcenter_secrets_dump module from loading.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-UP

2022-10-28 Shelby Pace

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/10/28/metasploit-weekly-wrap-up-180/

GLPI htmLawed PHP Command Injection

Metasploit Weekly Wrap-UP

Our very own bwatters-r7 wrote a module for an unauthenticated PHP command injection vulnerability that exists in various versions of GLPI. The vulnerability is due to a third-party vendor test script being present in default installations. A POST request to vendor/htmlawed/htmlawed/htmLawedTest.php directly allows an attacker to execute exec() through the hhook and test parameters, resulting in unauthenticated RCE as the www-data user. The GLPI project has released an advisory detailing patched versions available for download and also noting that this vulnerability has been seen exploited in the wild.

Vagrant Breakout Exploit

Community contributor bcoles added a module that exploits a built-in Vagrant feature to break out of a Vagrant box and gain access to the host system. Specifically, the shared project folder that exists on the host is mounted on the guest Vagrant box as a writable directory, and the project’s configuration file exists there. Every time a user on the host executes a vagrant command from within the project directory, the Ruby code within the config file gets executed. As a result, an attacker can add arbitrary code to the config file, wait for the user to run a vagrant command, and then gain a shell on the host system with the privileges of the user who ran the command. Since there is no intention to patch this issue, denying the shared folders feature for Vagrant projects is the best way to prevent this.

vCenter Secrets Dump Module

h00die and npm-cesium137-io submitted a post module that targets vCenter appliances. Using an elevated session, this module collects DC credentials, SSO user accounts and hashes, domain information, certificates, and more. The information gathered can be used to add new SSO admin users to vCenter, sign forged SAML assertions, and to dump more data via the auxiliary/gather/vmware_vcenter_vmdir_ldap module.

New module content (3)

GLPI htmLawed php command injection by bwatters-r7 and cosad3s, which exploits CVE-2022-35914 – This PR adds a module for CVE-2022-35914, a php command injection vulnerability in GLPI versions up to and including 10.0.2.
Vagrant Synced Folder Vagrantfile Breakout by bcoles – This PR adds a module that exploits a default Vagrant shared folder to append a Ruby payload to the Vagrant project Vagrantfile config file. The payload gets executed the next time the user runs a vagrant command.
vCenter Secrets Dump by h00die and npm-cesium137-io – This PR adds the post/linux/gather/vcenter_secrets_dump module to dump vCenter vmdir dcAccountPassword and platform certificates.

Enhancements and features (7)

#16979 from gwillcox-r7 – This improves the existing ldap_query module by allowing it to decode some data types into a human readable format.
#17050 from usiegl00 – This updates the osx stager to no longer write artifacts to disk when performing in-memory code loading.
#17071 from gwillcox-r7 – This adds additional predefined LDAP queries to the existing ldap_query module that can help enumerate specific information in support of certain attack paths.
#17128 from cgranleese-r7 – Updates auxiliary/scanner/smb/smb_enumshares to support specifying a share name such as run smb://Account:Password@TargetIP spidershares=true showfiles=true share=TargetShareName. Useful files are now also highlighted automatically.
#17164 from r3nt0n – This adds a new option, THEME_DIR to the exploit/multi/http/wp_crop_rce module that is useful when the current WordPress theme cannot be auto-detected by the module or when a user leverages other means of determining the theme.
#17176 from llamasoft – This updates the Python Meterpreter stage to calculate the necessary data for AES encryption at runtime which reduces the stage size by about 6,000 bytes.
#17185 from adfoster-r7 – Updates msfconsole’s tips command to include the analyze command, as well as hosts -R and services -R

Bugs fixed (2)

#17172 from bcoles – Fixes a bug in Msf::Post::File.append_file which caused file contents to be overwritten on non-Windows sessions.
#17187 from ErikWynter – Fixes an issue in the aerohive_netconfig_lfi_log_poison_rce exploit module that resulted in the vulnerable version 10.0r8 being flagged as non-vulnerable

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Weekly Wrap-Up

2022-10-21 Spencer McIntyre

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/10/21/metasploit-weekly-wrap-up-181/

Zimbra with Postfix LPE (CVE-2022-3569)

Metasploit Weekly Wrap-Up

This week rbowes added an LPE exploit for Zimbra with Postfix. The exploit leverages a vulnerability whereby the Zimbra user can run postfix as root which in turn is capable of executing arbitrary shellscripts. This can be abused for reliable privilege escalation from the context of the zimbra service account to root. As of this time, this vulnerability remains unpatched.

Zimbra RCE (CVE-2022-41352)

rbowes also added an RCE for Zimbra as well. This exploit can be used to remotely obtain the initial access necessary to exploit CVE-2022-3569 and escalate privileges to root. This exploit leverages a path traversal vulnerability to write a malicious JSP file to the web directory which yields code execution. The vulnerability does not require authentication however it should be noted that pax must not be present on the target in order for it to be exploitable. A Zimbra patch adds pax as a requirement, so either the patch must not have been applied or pax must have been explicitly removed.

FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass (CVE-2022-40684)

Community member heyder submitted an exploit for multiple Fortinet products this week. The exploit involves an authentication bypass that is leveraged to establish an SSH session with the target. Unfortunately, the tested FortiGate v7.2.1 instance used during testing indicated that the target could not be used for SSH port forwarding.

Improved Qualys Scan Import Performance

Metasploit is capable of importing scan data produced by a variety of tools such as Qualys and Nessus. This week jmartin switched the XML parser used while processing Qualys scan files to obtain a dramatic performance improvement. Scans data which previously took hours to import takes only a few minutes now.

New module content (4)

Unauthenticated information disclosure such as configuration, credentials and camera snapshots of a vulnerable Hikvision IP Camera by Monte Crypto and h00die-gr3y, which exploits CVE-2017-7921 – This adds an auxiliary module that leverages an authentication bypass vulnerability in Hikvision IP cameras (CVE-2017-7921) to disclose information such as detailed hardware and software configuration, user credentials, and camera snapshots.
Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass. by Heyder Andrade and Zach Hanley, which exploits CVE-2022-40684 – This PR adds a remote code execution exploit module for CVE-2022-4068 affecting some Fortinet products
TAR Path Traversal in Zimbra (CVE-2022-41352) by Alexander Cherepanov, Ron Bowes, and yeak, which exploits CVE-2022-41352 – This adds a module that exploits a symlink-based path traversal vulnerability in cpio to get unauthenticated remote code execution as the zimbra user. This vulnerability is identified as CVE-2022-41352. The module generates a .tar file that will need to be emailed to any user on the target Zimbra server.
Zimbra sudo + postfix privilege escalation by EvergreenCartoons and Ron Bowes, which exploits CVE-2022-3569 – This adds a new module to exploit a vulnerable sudo configuration in Zimbra that permits the zimbra user to execute postfix as root. In turn, postfix can execute arbitrary shell scripts and get command execution as the root user. Currently, as of 2022-10-14, all versions of Zimbra are vulnerable.

Enhancements and features (4)

#16982 from h00die – Updates the Dell iDRAC login scanner to work with version 8 and version 9
#17135 from k0pak4 – This adds proper namespace to the hash identification library to avoid any potential collision with the constants defined previously.
#17140 from nfsec – The Metasploit Docker image’s Alpine version has been bumped from 3.12 to 3.15.
#17154 from jmartin-r7 – The process for importing Qualys scan data has been switched over from REXML to using Nokigiri::XML and XPath for improved performance.

Bugs fixed (1)

#17157 from k0pak4 – Setting the global options to set LHOST for all modules will now be properly respected when loading a module, whereas before only the globally set RHOST option would be respected.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Metasploit Wrap-Up

2022-10-14 Christophe De La Fuente

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2022/10/14/metasploit-wrap-up-155/

Spring Cloud Gateway RCE

Metasploit Wrap-Up

This week, a new module that exploits a code injection vulnerability in Spring Cloud Gateway (CVE-2022-22947) has been added by @Ayantaker. Versions 3.1.0 and 3.0.0 to 3.0.6 are vulnerable if the Gateway Actuator endpoint is enabled, exposed and unsecured. The module sends a specially crafted SpEL expression to this endpoint and gets command execution as the user running Spring Cloud Gateway. A first request is sent to create a route with a filter including the SpEL expression which will be parsed with a StandardEvaluationContext. A second request is sent to reload the route and trigger code execution.

pfSense pfBlockNG plugin unauthenticated RCE

Our very own @jheysel-r7 added a module that exploits an OS command injection vulnerability in pfSense’s pfBlockerNG plugin versions 2.1.4_26 and below and identified as CVE-2022-31814. The module sends an HTTP request with a payload in the Host: header, which will be executed by the PHP’s exec() function. This leads to unauthenticated remote command execution as root. Note that this pfSense module is not installed by default but is commonly used to block inbound connections from countries or IP ranges.

New module content (2)

Spring Cloud Gateway Remote Code Execution by Ayan Saha, which exploits CVE-2022-22947 – A new module has been added in for CVE-2022-22947, an unauthenticated RCE in Spring Cloud Gateway versions 3.1.0 and 3.0.0 to 3.0.6 when the Gateway Actuator endpoint is enabled, exposed and unsecured. Successful exploitation results in arbitrary code execution as the user running Spring Cloud Gateway.
pfSense plugin pfBlockerNG unauthenticated RCE as root by IHTeam and jheysel-r7, which exploits CVE-2022-31814 – A module has been added for CVE-2022-31814, an unauthenticated RCE in the pfSense plugin within pfBlockerNG that allows remote unauthenticated attackers to execute execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. Versions <= 2.1.4_26 are vulnerable. Note that version 3.X is unaffected.

Enhancements and features (2)

#17123 from h00die – The netrc and fetchmail modules have been updated to include documentation on how to use the modules.
#17092 from bcoles – This PR updates the netlm_downgrade module, providing documentation, extending it to support more session types, and fixing some bugs that were present which caused false-positive warnings to appear.

Bugs fixed (3)

#16987 from jmartin-r7 – Improves scanner/smb/smb_login to gracefully handle additional error conditions when connecting to target services.
#17075 from cdelafuente-r7 – The Windows secrets dump module was failing early for non-administrative users. This fixes the issue so the module now throws warnings where it was previously failing early. Now the module can complete the DOMAIN action whereas before it was failing prior to reaching this point.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

2022-10-07 Grant Willcox

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2022/10/07/metasploit-weekly-wrap-up-179/

Bofloader – Windows Meterpreter Gets Beacon Object File Loader Support

Metasploit Weekly Wrap-Up

This week brings a new and frequently requested feature to the Windows Meterpreter, the Beacon Object File loader. This new extension, bofloader, allows for users to execute Beacon Object Files as written for either Cobalt Strike or Sliver. This extension was provided by a group effort among community members kev169, GuhnooPlusLinux, R0wdyJoe, and skylerknecht.

Documentation is available on the new docs site which walks through using the new extension. Since the bofloader is a full-fledged extension, it can be used without loading stdapi which has been noted as an important setting (set AutoLoadStdapi false) for avoiding detection.

Once a Meterpreter session is loaded along with the bofloader extension, the execute_bof command becomes available. The user needs to specify a path to their BOF file and any necessary arguments.

msf6 exploit(windows/smb/psexec) > set AutoLoadStdapi false
AutoLoadStdapi => false
msf6 exploit(windows/smb/psexec) > exploit


[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[*] 192.168.159.10:445 - Selecting PowerShell target
[*] 192.168.159.10:445 - Executing the payload...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (200774 bytes) to 192.168.159.10
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.10:62900) at 2022-10-07 12:10:21 -0400


meterpreter > load bofloader
Loading extension bofloader...

meterpreter                  
   ▄▄▄▄    ▒█████    █████▒  
  ▓█████▄ ▒██▒  ██▒▓██   ▒   
  ▒██▒ ▄██▒██░  ██▒▒████ ░   
  ▒██░█▀  ▒██   ██░░▓█▒  ░   
  ░▓█  ▀█▓░ ████▓▒░░▒█░      
  ░▒▓███▀▒░ ▒░▒░▒░  ▒ ░      
  ▒░▒   ░   ░ ▒ ▒░  ░     ~ by @kev169, @GuhnooPluxLinux, @R0wdyJoe, @skylerknecht ~
   ░    ░ ░ ░ ░ ▒   ░ ░      
   ░          ░ ░  loader    
        ░                    


Success.
meterpreter > execute_bof ../CS-Situational-Awareness-BOF/SA/whoami/whoami.x64.o
[*] No arguments specified, executing bof with no arguments.


UserName		SID
====================== ====================================
MSFLAB\DC$	S-1-5-18




GROUP INFORMATION                                 Type                     SID                                          Attributes               
================================================= ===================== ============================================= ==================================================
BUILTIN\Administrators                            Alias                    S-1-5-32-544                                  Enabled by default, Enabled group, Group owner, 
Everyone                                          Well-known group         S-1-1-0                                       Mandatory group, Enabled by default, Enabled group, 
NT AUTHORITY\Authenticated Users                  Well-known group         S-1-5-11                                      Mandatory group, Enabled by default, Enabled group, 
Mandatory Label\System Mandatory Level            Label                    S-1-16-16384                                  Mandatory group, Enabled by default, Enabled group, 




Privilege Name                Description                                       State                         
============================= ================================================= ===========================
SeAssignPrimaryTokenPrivilege Replace a process level token                     Disabled                      
...             


meterpreter >

If MinGW is available, BOF files can be compiled from source code using the –compile flag.

meterpreter > execute_bof ../../OutputStreams.c --compile
[*] No arguments specified, executing bof with no arguments.
[CALLBACK_OUTPUT]: message
[CALLBACK_ERROR]:  message

meterpreter >

Finally, BOF files which require arguments can be called if the user knows their format. This information would typically come from either reading the BOF file’s source code or documentation. In the following example, the nslookup BOF takes two UTF-8 strings, followed by one int16. The format string details can be found in the documentation along with a table for quick reference in the --help output.

meterpreter > execute_bof ../CS-Situational-Awareness-BOF/SA/nslookup/nslookup.x64.o --format-string zzs metasploit.com 192.168.250.4 1
A metasploit.com 18.67.65.57
A metasploit.com 18.67.65.86
A metasploit.com 18.67.65.104
A metasploit.com 18.67.65.65
NS com f.gtld-servers.net
NS com a.gtld-servers.net
...

meterpreter >

WordPress Elementor RCE – CVE-2022-1329

This week community contributors AkuCyberSec, Ramuel Gall, and h00die landed a nice module for CVE-2022-1329, an authenticated vulnerability in the Elementor Website Builder Plugin for WordPress that allows unauthorized execution of several AJAX actions.

Any authenticated user can exploit this vulnerability to upload a PHP file onto the website. The module takes advantage of this vulnerability to request that the Elementor plugin try to install Elementor Pro from a user supplied zip file, which is something any user wih Subscriber permissions or higher can do. Once the PHP file is uploaded to the target website, the attacker can then browse to the page hosting their PHP file to get RCE as the www-data user.

Ubuntu Enlightment Mount Priv Esc – CVE-2022-37706

Its been a while since we last had a Linux LPE in the framework for Ubuntu, but thanks to some work from community contributors Maher Azzouzi and h00die, we have an exploit for CVE-2022-37706. This takes advantage of a bug within one of Linux’s window managers, called Enlightment, and occurs due to a command injection vulnerability in Enlightment’s enlightment_sys binary. Versions prior to Enlightment 0.25.4 are vulnerable and can be exploited by authenticated users who have a userland shell to gain arbitrary code execution as the root user.

Remote Mouse Server RCE – Unpatched

Community contributors 0RPHON, H4rk3nz0, and h00die brought us a nice vulnerability this week for an unauthenticated RCE via the Emote Interactive protocol, aka CVE-2022-3365. The bug occurs since the authentication for the Emote Interactive protocol never seemed to be enforced according to 0RPHON, the original bug discoverer. Attackers can utilize this vulnerability to gain unauthenticated RCE as the user running Remote Mouse Server. Note that whilst a CVE is assigned, the bug is still unpatched at the time of writing.

New module content (6)

Ubuntu Enlightenment Mount Priv Esc by Maher Azzouzi and h00die, which exploits CVE-2022-37706 – This PR adds a local privilege escalation module. It exploits a cmd injection vulnerability in the window manager, Enlightenment, on Ubuntu.
WordPress Plugin Elementor Authenticated Upload Remote Code Execution by AkuCyberSec, Ramuel Gall, and h00die, which exploits CVE-2022-1329 – This PR adds a new authenticated exploit module against 3 versions of Elementor, a plugin for WordPress. Any user account can use this exploit. It was rated a 9.9 CVSS score and was assigned CVE-2022-1329.
Remote Mouse RCE by 0RPHON, H4rk3nz0, and h00die, which exploits CVE-2022-3365 – This module utilizes the Remote Mouse Server by Emote Interactive protocol to deploy a payload and run it from the server, achieving unauthenticated code execution as the user running the server.
Windows Gather MobaXterm Passwords by cn-kali-team – This module will determine if MobaXterm is installed on the target system and, if it is, it will try to dump all saved session information from the target. The passwords for these saved sessions will then be decrypted where possible.
RedisDesktopManager credential gatherer by cn-kali-team – This PR adds a post module leveraging the existing PackRat library to pull credentials from RedisDesktopManager installations.
Delinea Thycotic Secret Server Dump by npm-cesium137-io – This PR adds a post exploitation module that exports and decrypts Thycotic Secret Server credentials.

Enhancements and features (3)

#16995 from Invoke-Mimikatz – This PR adds a new extension for the C (x86/x64) Meterpreter payload. The extension is called bofloader and can be used to execute COFF files (also known as Beacon Object Files) in the context of the Meterpreter session. It currently adds only one command, bof_cmd, to Meterpreter.
#17086 from bwatters-r7 – This PR bumps Metasploit-payloads to a level that allows support for COFF loading per https://github.com/rapid7/metasploit-framework/pull/16995
#17108 from k0pak4 – Updates the azure_ad_login auxiliary module to check for disabled accounts.

Bugs fixed (3)

#17072 from smashery – This PR fixes a regression discovered when session interaction hangs because a file slated for cleanup is in use, so the framework side times out, but the shell side does not. The fix also includes more robust handling for shell tokens in all types of shells.
#17078 from cgranleese-r7 – This PR updates the deprecated report_auth_info method calls in the modules/auxiliary/scanner/rservices/ modules to now make use of create_credential instead.
#17091 from bcoles – Fixes module metadata for stability and reliability for several modules.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

Basic discover script improvements

Google Summer of Code

Web Based Module Counts

New module content (2)

Froxlor Log Path RCE

pyLoad js2py Python Execution

Enhancements and features (1)

Bugs fixed (2)

Documentation added (2)

Get it

Cisco RV Series Auth Bypass and Command Injection

New module content (2)

Cisco RV Series Authentication Bypass and Command Injection

GitLab GitHub Repo Import Deserialization RCE

Enhancements and features (1)

Bugs fixed (1)

Documentation

Get it

Taking a stroll down memory lane (Tomcat Init Script Privilege Escalation)

Lenovo Diagnostics Driver IOCTL memmove

New module content (8)

Nagios XI 5.5.6 to 5.7.5 – ConfigWizards Authenticated Remote Code Execution

F5 Big-IP Create Admin User

Apache Tomcat on Ubuntu Log Init Privilege Escalation

Fortra GoAnywhere MFT Unsafe Deserialization RCE

ManageEngine ADSelfService Plus Unauthenticated SAML RCE

ManageEngine ServiceDesk Plus Unauthenticated SAML RCE

ManageEngine Endpoint Central Unauthenticated SAML RCE

Lenovo Diagnostics Driver IOCTL memmove

Enhancements and features (3)

Bugs fixed (2)

Documentation added (3)

Get it

Metasploit 6.3 is out!

Dirty Cow available on macOS

New module content (5)

CWP login.php Unauthenticated RCE

io_uring Same Type Object Reuse Priv Esc

vmwgfx Driver File Descriptor Handling Priv Esc

macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

Veeam Backup and Replication Credentials Dump

Enhancements and features (11)

Bugs fixed (4)

Documentation added (1)

Get it

Cacti Unauthenticated Command Injection

Python Meterpreter Gets a Few Upgrades

New module content (1)

Cacti 1.2.22 unauthenticated command injection

Enhancements and features (3)

Bugs fixed (2)

Documentation

Get it

See something say something

New module content (3)

Mirage firewall for QubesOS 0.8.0-0.8.3 Denial of Service (DoS) Exploit

WordPress Paid Membership Pro code Unauthenticated SQLi

Ivanti Cloud Services Appliance (CSA) Command Injection

Enhancements and features (5)

Bugs fixed (3)

Documentation

Get it

New module content (2)

Gather Dbeaver Passwords

Gather MinIO Client Key

Enhancements and features (2)

Bugs fixed (3)

Documentation added (1)

Get it

Back from a quiet holiday season

Make sure that your OpenTSDB isn’t too open

New module content (3)

Enhancements and features (2)

Bugs fixed (5)

Get it

Active Directory Certificate Services attacks

Linux credential extraction with Mimipenguin

Metasploit plays well with others

Holiday hacking challenge

Sixth getsystem technique

Sixth `getsystem` technique